matrix-synapse: CVE-2018-12423: unauthorised users can hijack rooms when there is no m.room.power_levels event in force

Related Vulnerabilities: CVE-2018-12423  

Debian Bug report logs - #901549


Reported by: Andrej Shadura <andrewsh@debian.org>

Date: Thu, 14 Jun 2018 16:51:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version matrix-synapse/0.31.1+dfsg-1

Fixed in version matrix-synapse/0.31.2+dfsg-1

Done: Andrej Shadura <andrewsh@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/matrix-org/synapse/pull/3397


Report forwarded to debian-bugs-dist@lists.debian.org, Matrix Packaging Team <pkg-matrix-maintainers@lists.alioth.debian.org>:
Bug#901549; Package src:matrix-synapse. (Thu, 14 Jun 2018 16:51:05 GMT)


Acknowledgement sent to Andrej Shadura <andrewsh@debian.org>:
New Bug report received and forwarded. Copy sent to Matrix Packaging Team <pkg-matrix-maintainers@lists.alioth.debian.org>. (Thu, 14 Jun 2018 16:51:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Andrej Shadura <andrewsh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: matrix-synapse: unauthorised users can hijack rooms when there is no m.room.power_levels event in force
Date: Thu, 14 Jun 2018 18:47:04 +0200
Source: matrix-synapse
Version: 0.31.1+dfsg-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/matrix-org/synapse/pull/3397

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

From https://matrix.org/blog/2018/06/14/security-update-synapse-0-31-2/:

> …we are releasing a security update of Synapse (0.31.2) today which
> changes the rules used to authenticate power_level events, such that
> we fail-safe rather than fail-deadly if the existing auth mechanisms
> fail. In practice this means changing the default power level required
> to set state to be 50 rather than 0 if there is no power_levels event
> present, thus meaning that only the room creator can set the initial
> power_levels event.

See also https://github.com/matrix-org/matrix-doc/issues/1304
(Proposal to simplify the auth rules of m.room.power_level events.)

-----BEGIN PGP SIGNATURE-----

iQFIBAEBCAAyFiEEeuS9ZL8A0js0NGiOXkCM2RzYOdIFAlsinAYUHGFuZHJld3No
QGRlYmlhbi5vcmcACgkQXkCM2RzYOdKFbQf8CmUFQ7Cnf1gq15BzZ7DW5wdHFSF2
mtCHGSGQQksyjuSw+Lz3Unqil3YRI9Z8hvPM/oCadFH19JxSBPRhW2a90WjZ67V4
8Vcn2l1VC4mLd98Ms38v1j7TiU2Qa3gfadk6+YIXq51D5OC8LXRKozoVHH0XJ0yG
3iV8LodPqL2D5wcDuQry8uZ4tEH3lhQbzqIjZKKeJp2WhFZBCuAU98DYjL7plqph
36Ce41+0z4zJXYi8DQ55MPOskOqYCOHFUZxTBw8umhwfK32xD9ao+Qfv27Poh0YT
M6EgZjkKqBBBVZc8NzvuEmHSHMcjI1FdlpZFHhy0DhYmkpPwJ3RHyW+k7g==
=5wg3
-----END PGP SIGNATURE-----
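To make the rule change quoted in the advisory above concrete, here is an added Python model of the Matrix power-level check for state events. It is a constructed illustration written for this page, not Synapse's code and not part of the bug report: it keeps only the part of the state-event auth rule that this CVE turned on (the level a sender has versus the level the event type requires), and omits membership and the other auth checks. The content keys `users`, `users_default`, `events` and `state_default` are the m.room.power_levels keys from the Matrix specification; the room creator and user IDs are made up.

```python
# Added illustration of the m.room.power_levels authorisation rule discussed in
# the advisory above. Constructed model, not Synapse's code: only the power-level
# comparison is modelled, not membership or the remaining auth rules.
from typing import Optional

# Level required to send a state event when the room has NO power_levels event
# in force. Before Synapse 0.31.2 this was effectively 0 (fail-deadly); the fix
# raised it to 50 (fail-safe), so only the creator (level 100) passes.
STATE_DEFAULT_PRE_FIX = 0
STATE_DEFAULT_FIXED = 50


def user_power_level(power_levels: Optional[dict], creator: str, user_id: str) -> int:
    """Effective power level of user_id.

    With no m.room.power_levels event in force, the spec treats the room
    creator as level 100 and every other user as level 0. Once an event
    exists, only its content decides (the creator gets no special treatment).
    """
    if power_levels is None:
        return 100 if user_id == creator else 0
    users = power_levels.get("users", {})
    return users.get(user_id, power_levels.get("users_default", 0))


def required_level_for_state(power_levels: Optional[dict], event_type: str,
                             missing_state_default: int) -> int:
    """Level needed to send a state event of event_type.

    With a power_levels event present, a per-event override in "events" wins,
    then "state_default" (50 when the key is absent). Without one, the answer
    is exactly the default this CVE was about.
    """
    if power_levels is None:
        return missing_state_default
    per_event = power_levels.get("events", {})
    return per_event.get(event_type, power_levels.get("state_default", 50))


def may_send_state(power_levels: Optional[dict], creator: str, sender: str,
                   event_type: str,
                   missing_state_default: int = STATE_DEFAULT_FIXED) -> bool:
    """True if sender's level meets the level required for event_type."""
    have = user_power_level(power_levels, creator, sender)
    need = required_level_for_state(power_levels, event_type, missing_state_default)
    return have >= need


def compare_defaults(creator: str, sender: str) -> dict:
    """Outcome of the same m.room.power_levels send, in a room that has no
    power_levels event yet, under the pre-fix and fixed defaults."""
    return {
        "pre_fix": may_send_state(None, creator, sender, "m.room.power_levels",
                                  STATE_DEFAULT_PRE_FIX),
        "fixed": may_send_state(None, creator, sender, "m.room.power_levels",
                                STATE_DEFAULT_FIXED),
    }


if __name__ == "__main__":
    # Constructed room: @alice created it; @bob is an ordinary joined member.
    creator = "@alice:example.org"
    for who in (creator, "@bob:example.org"):
        print(who, compare_defaults(creator, who))
```

Running it shows the whole bug in two lines: under the pre-fix default a non-creator member (level 0) meets the requirement of 0 and can set the room's first power_levels event, while under the fixed default only the creator clears the bar of 50. Once a power_levels event exists, neither default matters, which is why the advisory describes the change as fail-safe behaviour for the window before that event is in force.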

Reply sent to Andrej Shadura <andrewsh@debian.org>:
You have taken responsibility. (Thu, 14 Jun 2018 17:09:08 GMT)


Notification sent to Andrej Shadura <andrewsh@debian.org>:
Bug acknowledged by developer. (Thu, 14 Jun 2018 17:09:08 GMT)


Message #10 received at 901549-close@bugs.debian.org:

From: Andrej Shadura <andrewsh@debian.org>
To: 901549-close@bugs.debian.org
Subject: Bug#901549: fixed in matrix-synapse 0.31.2+dfsg-1
Date: Thu, 14 Jun 2018 17:05:55 +0000
Source: matrix-synapse
Source-Version: 0.31.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
matrix-synapse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901549@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <andrewsh@debian.org> (supplier of updated matrix-synapse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 14 Jun 2018 18:53:36 +0200
Source: matrix-synapse
Binary: matrix-synapse
Architecture: source
Version: 0.31.2+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Matrix Packaging Team <pkg-matrix-maintainers@lists.alioth.debian.org>
Changed-By: Andrej Shadura <andrewsh@debian.org>
Description:
 matrix-synapse - Matrix reference homeserver
Closes: 901549
Changes:
 matrix-synapse (0.31.2+dfsg-1) unstable; urgency=high
 .
   * New upstream release:
     - SECURITY UPDATE:
       Prevent unauthorised users from setting state events in a room
       when there is no m.room.power_levels event in force in the room.
       (Closes: #901549)
Checksums-Sha1:
 923eb7cfdcc40d9cee28625002e3b23c2fea694f 2446 matrix-synapse_0.31.2+dfsg-1.dsc
 8ccbcaa85a7f9984912e04bfe60029db17bb071e 931855 matrix-synapse_0.31.2+dfsg.orig.tar.gz
 1f2b6e11ead3332816f636ed04f5a8f4cd7a6bcf 85900 matrix-synapse_0.31.2+dfsg-1.debian.tar.xz
Checksums-Sha256:
 358543705f1467764e7e90ecf0b5695118ab5e440d8415b76dbc5441381c56f1 2446 matrix-synapse_0.31.2+dfsg-1.dsc
 a24a81d397d275718e5eef526f4cf194262730c14c77b4e7af8943e7fa608b47 931855 matrix-synapse_0.31.2+dfsg.orig.tar.gz
 d2dead7ca85f0df37b5b55226d26cc69ce2f76cadcd328be3b1db9699adb33f3 85900 matrix-synapse_0.31.2+dfsg-1.debian.tar.xz
Files:
 14d130a5883fad665961668d2129bb4b 2446 net optional matrix-synapse_0.31.2+dfsg-1.dsc
 6e179c338d050fcf897213172b4cad0b 931855 net optional matrix-synapse_0.31.2+dfsg.orig.tar.gz
 21381ce4bb0c27dfb8dfcd90d24d6145 85900 net optional matrix-synapse_0.31.2+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEeuS9ZL8A0js0NGiOXkCM2RzYOdIFAlsincwACgkQXkCM2RzY
OdIhQwf+LCdWB/2VZc5FIPC1KbKgws+f/jpNlGk0NuakLsYxNVA50fFBn9eXK2Wo
h/4P77E5r2wJvCIG4390rNeZxzi80qmcf7fN6IV1ofw6GH8P7yt8zi272kSNchhm
m7mgmqMOEDKkbwYBUQIPlDg/ArE+ZyZvF+XgbYEZ3Ps5Ll2pzlOrpiCZNKfWzOJB
5ft2e2nryq/1FI9GgdPT8hGuTaIiX/iU+tIBwrtDRteaV9bYbbplTWwC2D8e1ubJ
u90bdg2qdyK0jjP7FdPBXvdWLI6tIrY9+uCHn9glpfNb9Fnw0mALhemREgPaIuha
uLOKOc1NcEptCRbVV/iunf1HCx0SAA==
=cat2
-----END PGP SIGNATURE-----

Changed Bug title to 'matrix-synapse: CVE-2018-12423: unauthorised users can hijack rooms when there is no m.room.power_levels event in force' from 'matrix-synapse: unauthorised users can hijack rooms when there is no m.room.power_levels event in force'. Request was from Andrej Shadura <andrewsh@debian.org> to control@bugs.debian.org. (Thu, 14 Jun 2018 21:54:03 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 15 Oct 2018 07:28:22 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:17:56 2019; Machine Name: buxtehude